70-298 Designing Security for a MS Windows Server 2003 Network
Demo Question 1.
Willow Bridge, Ltd.

Scenario Background
Willow Bridge, Ltd. manufactures security systems and distributes these products to retail stores and the public. A company named Bilco.com provides components for Willow Bridge, Ltd. products. Willow Bridge, Ltd. recently bought Bilco.com.

Physical Locations
The Willow Bridge, Ltd. headquarters is located in Chicago. The company has branch offices in New York and Los Angeles. Bilco.com is located in Detroit. The Willow Bridge, Ltd. branch offices are connected to the headquarters via a T1 leased line, and the Chicago office is connected to the Internet through a T1 leased line. The Bilco.com office connects to Chicago through a VPN connection. The Chicago office consists of the Finance, Marketing, Sales, Human Resources and IT departments. The Los Angeles and New York offices each consist of a Sales department. The Bilco.com office in Detroit consists of the Research and Development department.

Planned Changes
Willow Bridge, Ltd. plans to make the following changes:
1. The Finance Department client computers will be upgraded to Microsoft Windows XP Professional.
2. An organizational unit (OU) named Research and Development will be created in the willowbridge.com domain.
3. Three child OUs will be created in the Research and Development OU: Research, Wireless Clients, and Desktop Clients.
4. A server named RRAS1 will be deployed on the internal network.
5. Two remote access servers named VPN1 and VPN2 will be configured for the VPN connection between the Chicago and Detroit offices.
6. A wireless access point will be deployed in the Chicago office.
7. The Detroit office will also make use of a Web server named WEB2.
8. Our customers will in future be able to use the willowbridge.com Web site to keep track of the orders they have placed and their status.

Active Directory
The Willow Bridge, Ltd. network consists of a single Active Directory domain named willowbridge.com. The willowbridge.com domain is located in the Chicago office, and all domain controllers run Windows Server 2003. After the takeover, the Bilco.com domain was migrated into the willowbridge.com Active Directory domain and now constitutes the Research and Development department of willowbridge.com. The OU structure for the network is illustrated in the OU Structure exhibit. Six top-level organizational units (OUs) have been created. These OUs hold the user and computer accounts of their respective departments:
1. Finance OU
2. Marketing OU
3. Sales OU
4. Human Resources OU
5. IT OU
6. Research and Development OU
The Sales OU contains three child OUs, named Chicago, Los Angeles, and New York, representing the offices where there are Sales Department users. The Research and Development OU contains three child OUs that hold the accounts of the Bilco.com users and their computers, grouped by function. These child OUs are named Wireless Clients, Desktop Clients, and Users respectively.

Network Infrastructure
All servers in the willowbridge.com network run Microsoft Windows Server 2003. The willowbridge.com client computers run a mix of Microsoft Windows 2000 Professional, Microsoft Windows NT Workstation 4.0, and Microsoft Windows XP Professional with the latest service pack. Each office will have at least one domain controller to support local authentication. There is a router-to-router VPN connection between the Chicago office and the Detroit (Bilco.com) office. Two remote access servers named VPN1 and VPN2 will be configured for the VPN connection. A dial-up connection is configured on a server named RAS1. RAS1 will be deployed on the internal network and will be used by Sales Department users who are unable to access an ISP when they are traveling. A wireless network has been set up in the Chicago office. Wireless client computers in Chicago have IEEE 802.11g wireless adapters. These wireless computers are assigned to the IT administrators. The Chicago office also holds two DNS servers named DNS1 and DNS2. DNS1 and DNS2 are both configured with the default Remote Desktop connection settings.
1. DNS1 provides host name resolution for the internal network clients and hosts the standard primary zone local.willowbridge.com. DNS1 is located on the internal network in the Chicago office.
2. DNS2 provides external host name resolution and hosts the external primary zone willowbridge.com. DNS2 is located on the perimeter network in the Chicago office.

Web Services
All Web sites are hosted using Internet Information Services (IIS) 6.0. A Web server named WEB1 is located on the perimeter network and hosts the willowbridge.com Web site. This Web site is used for marketing, order status and contact information. It also has a secure section that gives the Sales Department access to the Willow Bridge, Ltd. inventory and order applications. A Web server named WEB2 is located on the Willow Bridge, Ltd. internal network and is used for Web application development and testing. The Detroit office will also make use of WEB2 via the VPN tunnel.

Problem Statements

Chief Security Officer
"We need to implement a public key infrastructure (PKI) that includes the Detroit office and our branch offices. We need to deploy certificates to increase security for all our new projects that are in the pipeline. All security applications and programs should be tested for compatibility before authorization for installation is granted. We must also ensure that our users do not install unauthorized software on the company client computers."
"We must ensure that all our servers that provide connections to our network are secure. All connections to these servers must be authenticated."

IT Department Manager
"The Chicago office has the wireless access point. We need to allow administrators the ability to access and modify network configurations from all areas of this office. Currently the non-administrative users can also connect to the wireless section of the network using their personal laptop computers. This should not be allowed. Only the IT users should be able to connect to the willowbridge.com wireless network."
"We need to deploy security patches efficiently. In the past we have relied on users to download security updates directly from the official Microsoft Windows Update Web site. This led to a situation where some users plainly neglected to perform updates in a timely manner, and as a consequence we became vulnerable to Internet-spread viruses. All security patches must be tested and approved by the IT department in the Chicago office. Our patch management system must support compatibility testing of all updates before the updates are deployed to the production network. We want all client computers to update themselves automatically. We also want to be able to ascertain which security patches have been applied to client computers."

IT Administrator
"We recently had a server failure. This could have been prevented. Be that as it may, a non-administrative user connected to DNS1 by accident and modified some of the registry settings on DNS1, with the result that we had to do without this server until we could restore the system state from our backup. We need to ensure that both DNS1 and DNS2 are protected against this kind of accidental modification. I want only administrators to be able to connect remotely to DNS1 and DNS2 to modify the registry settings. I also want the ability to detect all attempts to log on interactively to either of these servers."

Web Site Administrator
"The Sales Department uses the willowbridge.com Web site to gain access to the Willow Bridge, Ltd. inventory and order applications when traveling. Our customers will in future also use the willowbridge.com Web site to keep track of the orders they have placed and their status. We must make allowances for our customers. However, we must also ensure that they register to be able to access this portion of the Web site. This registration activity must be stored in a shared folder named Customer Registration, which is located on a file server named FILE1. At present the Users group has been granted Allow - Full Control permission on Customer Registration."

End User, Finance Department
"We know it has become a necessity to upgrade the client computers in the Finance department. We use a client/server application whose client portion was developed to run on Microsoft Windows NT Workstation 4.0. We will not have access to an upgrade for this application for ten to twelve months, so I want to suggest that we postpone the upgrade of the Finance Department client computers."

Security
The following security requirements must be considered:
1. Only administrators should be allowed to modify the registry on DNS1 and DNS2.
2. Security updates and patches are to be deployed in a centralized, efficient manner that minimizes traffic over WAN connections. All solutions must keep WAN traffic to a minimum.
3. The baseline security configuration of all servers and all client computers on the willowbridge.com network must be standardized.
4. No unauthorized software may be installed on any computer on the Willow Bridge, Ltd. network.
5. No users other than authenticated wireless clients should be able to connect to the wireless network in the Chicago office. No unauthorized wireless access points should be allowed to join the network.
6. The Chicago office administrators must use two-factor authentication to access the wireless network.
7. The Chicago office administrators must be able to roam between access points.
8. Certificates should be distributed to network users without requiring user intervention.
9. The Willow Bridge, Ltd. PKI should be tightly integrated with Active Directory.

Topic 3, Willow Bridge, Ltd. (11 Questions)

You need to design an access control strategy for the wireless access point in the Chicago office. Take care in your solution to address the IT manager's concerns. What should you do?
A. Use EAP-TLS for authentication purposes.
B. Use PEAP-TLS for authentication purposes.
C. Use EAP-MS-CHAP v2 for authentication purposes.
D. Use PEAP with MS-CHAP v2 for authentication purposes.
Answer: B
Explanation: The IT manager wants only the IT administrators' wireless computers on the Chicago wireless network, and the security requirements add two-factor authentication for those administrators (requirement 6) and roaming between access points (requirement 7). Configuring the wireless clients for PEAP-TLS satisfies both. The inner EAP-TLS method authenticates the administrator with a certificate on a smart card, which is two factors (the card and its PIN), and PEAP's fast reconnect resumes the existing session when the client moves to another access point instead of repeating the full authentication. PEAP keeps the flexibility of EAP and protects the authentication exchange by carrying it inside a Transport Layer Security (TLS) tunnel between the client and the authentication server.

EAP-TLS alone (A) also gives certificate-based two-factor authentication but does not provide PEAP's fast reconnect, so it does not address roaming. EAP-MS-CHAP v2 (C) and PEAP with MS-CHAP v2 (D) authenticate with a password, which remains a single factor even when tunnelled inside PEAP, so neither meets requirement 6.

Relevant facts from the scenario:
1. A wireless network has been set up in the Chicago office. Wireless client computers in Chicago have IEEE 802.11g wireless adapters. These wireless computers are assigned to the IT administrators.
2. Currently the non-administrative users can also connect to the wireless section of the network using their personal laptop computers. This should not be allowed. Only the IT users should be able to connect to the willowbridge.com wireless network.
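As an added example that is not part of the exam material, the following Python script reads the EAP section of a Windows WLAN profile (the XML written by `netsh wlan export profile`) and applies requirements 6 and 7 to it: is the credential a certificate on a smart card, and is PEAP fast reconnect enabled. The element names and namespaces are those of the Windows profile schema, which postdates Windows Server 2003; the four sample profiles are constructed here to mirror answer options A to D and are not real exports. Option C is modelled as a bare EAP-MS-CHAP v2 method for comparison, although Windows only offers MS-CHAP v2 inside PEAP.

```python
"""Check which EAP method a Windows WLAN profile uses and whether it meets the
Willow Bridge wireless requirements: two-factor authentication for the Chicago
administrators and fast reconnect for roaming between access points.

Added example, not part of the exam material. The element names and namespaces
follow the Windows WLAN profile XML; the sample profiles are constructed.
"""
import xml.etree.ElementTree as ET

# IANA-registered EAP method type numbers (RFC 3748 registry).
EAP_TLS, EAP_PEAP, EAP_MSCHAPV2 = 13, 25, 26
NAMES = {EAP_TLS: "EAP-TLS", EAP_PEAP: "PEAP", EAP_MSCHAPV2: "EAP-MS-CHAP v2"}
BASE = "http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"


def _local(tag):
    """Local name of an element tag, namespace stripped."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, name):
    """First direct child of elem with the given local name, or None."""
    return next((c for c in elem if _local(c.tag) == name), None)


def _first(elem, name):
    """First descendant (or elem itself) with the given local name, or None."""
    return next((e for e in elem.iter() if _local(e.tag) == name), None)


def describe_eap(xml_text):
    """Return (outer_type, inner_type, fast_reconnect, smart_card) for a profile."""
    config = _first(ET.fromstring(xml_text), "Config")
    if config is None:
        raise ValueError("no EapHostConfig/Config element: not an 802.1X profile")
    eap = _child(config, "Eap")
    outer = int(_child(eap, "Type").text)
    inner, fast_reconnect = None, False
    if outer == EAP_PEAP:
        peap = _child(eap, "EapType")
        fr = _child(peap, "FastReconnect")
        fast_reconnect = fr is not None and fr.text.strip().lower() == "true"
        eap = _child(peap, "Eap")  # the method tunnelled inside PEAP
        inner = int(_child(eap, "Type").text)
    smart_card = False
    if (inner if inner is not None else outer) == EAP_TLS:
        src = _first(_child(eap, "EapType"), "CredentialsSource")
        smart_card = src is not None and _child(src, "SmartCard") is not None
    return outer, inner, fast_reconnect, smart_card


def evaluate(xml_text):
    """Apply requirements 6 (two-factor) and 7 (roaming) to a profile."""
    outer, inner, fast_reconnect, smart_card = describe_eap(xml_text)
    label = NAMES[outer] if inner is None else "PEAP-" + NAMES[inner].replace("EAP-", "")
    # A certificate on a smart card is two factors (the card and its PIN). A
    # password-based inner method stays one factor even inside the PEAP tunnel,
    # and a user certificate in the local store is only something you have.
    two_factor = (inner if inner is not None else outer) == EAP_TLS and smart_card
    return {"method": label, "two_factor": two_factor, "fast_reconnect": fast_reconnect,
            "meets_requirements": two_factor and fast_reconnect}


def _tls(smart_card):
    cred = "<SmartCard/>" if smart_card else \
        "<CertificateStore><SimpleCertSelection>true</SimpleCertSelection></CertificateStore>"
    return (f'<Eap xmlns="{BASE}"><Type>13</Type><EapType xmlns="http://www.microsoft.com/'
            f'provisioning/EapTlsConnectionPropertiesV1"><CredentialsSource>{cred}'
            '</CredentialsSource></EapType></Eap>')


def _mschapv2():
    return (f'<Eap xmlns="{BASE}"><Type>26</Type><EapType xmlns="http://www.microsoft.com/'
            'provisioning/MsChapV2ConnectionPropertiesV1"><UseWinLogonCredentials>false'
            '</UseWinLogonCredentials></EapType></Eap>')


def make_profile(outer, inner=None, fast_reconnect=False, smart_card=False):
    """Constructed minimal profile carrying only the EAP elements the checker reads."""
    if outer == EAP_PEAP:
        body = _tls(smart_card) if inner == EAP_TLS else _mschapv2()
        eap = (f'<Eap xmlns="{BASE}"><Type>25</Type><EapType xmlns="http://www.microsoft.com/'
               'provisioning/MsPeapConnectionPropertiesV1"><FastReconnect>'
               f'{str(fast_reconnect).lower()}</FastReconnect>{body}</EapType></Eap>')
    else:
        eap = _tls(smart_card) if outer == EAP_TLS else _mschapv2()
    return ('<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1"><MSM>'
            '<security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>'
            '<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">'
            f'<Config>{eap}</Config></EapHostConfig></EAPConfig></OneX></security></MSM>'
            '</WLANProfile>')


# The four answer options, as the profile each would produce (constructed samples).
OPTIONS = {
    "A": make_profile(EAP_TLS, smart_card=True),
    "B": make_profile(EAP_PEAP, inner=EAP_TLS, fast_reconnect=True, smart_card=True),
    "C": make_profile(EAP_MSCHAPV2),
    "D": make_profile(EAP_PEAP, inner=EAP_MSCHAPV2, fast_reconnect=True),
}

if __name__ == "__main__":
    for letter, profile in OPTIONS.items():
        print(letter, evaluate(profile))
```

Only option B returns `meets_requirements` as true. The check also shows the caveat the question does not spell out: PEAP-TLS with the user certificate in the local certificate store rather than on a smart card is still only one factor, so the profile's `CredentialsSource` matters as much as the EAP type.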